Data breaches are on the rise, even with more sophisticated security protocols. Are regulations unable to keep up?
What is the value of information? Can you put a price on details? That depends on the details! Recently, Apple IDs were sold on the black market for about the cost of a month of a Premium Netflix Plan.
Are you familiar with the game Clue? A player whose first move is to guess “whodunit” without any information – clues – stands a slim-to-none chance of winning. But listening and paying attention the entire game, gathering all of the information and using deductive reasoning gives a much better chance of guessing the right details about the guilty party and the crime committed.
Cybercriminals operate in much the same way as players in Clue. Hackers vary in approach, but their goal is much the same: to gain access to data. Though they also vary in sophistication, they try to trick consumers into giving up usernames and passwords, banking or credit card account details, or email or social media accounts.
Professionals are just as attractive to hackers as individual consumers, because a single compromised login can open a network with a vast library of data. For this reason the same security rules apply, whether for the individual consumer or for the office worker whose username and password unlock everything from proprietary information to customer data.
- The basics: password best practices
  - Create a unique password for each account
    - A hacker can take someone’s password for a single account and gain access to multiple accounts, because humans have a tendency to be repetitive and predictable – which isn’t necessarily a bad thing, but in the case of passwords for secure access, it is!
  - Make passwords complex (letters, numbers and special characters, with a mix of upper and lower case)
    - Make it as hard as possible for a hacker to guess a password, and they move on to the next victim.
  - Don’t write passwords on paper and then store them where they are visible
    - While this seems obvious, it’s not always understood. Devising a challenging password, then writing it down and storing it somewhere anyone can see it, defeats the purpose of the challenging password. There may as well not be a password in this case!
  - Change passwords regularly
    - Keep hackers guessing and make their job that much harder! If a hacker is close to guessing a password based on other data they have about a particular victim, and the password is then updated, the process starts all over – or it doesn’t, and the hacker, as said above, moves on to the next potential victim. Too much time spent on one target without success isn’t profitable for a hacker and weakens their determination to keep at a single victim – why keep going when the next victim might be much easier?
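The four rules above translate directly into checks a login system can enforce. The following Go program is an added illustration written for this page, not code from Global Data Systems or from the original post: it checks complexity (upper and lower case, digits and special characters), detects reuse by re-deriving a salted PBKDF2-HMAC-SHA256 hash and comparing it in constant time against the user’s password history, and flags a password that is older than the rotation limit. The minimum length of 12, the 90-day rotation limit, the 100,000 PBKDF2 iterations and the sample passwords are assumed values chosen for the example; PBKDF2 is implemented inline so the program needs only the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"time"
	"unicode"
)

// Policy thresholds: assumed values for this example, not figures from the post.
const (
	minLength      = 12
	pbkdf2Iter     = 100000
	maxPasswordAge = 90 * 24 * time.Hour
)

// pbkdf2SHA256 derives keyLen bytes from password and salt (RFC 8018, PRF = HMAC-SHA256).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	var dk []byte
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil) // U1
		t := make([]byte, len(u))
		copy(t, u)
		for n := 2; n <= iter; n++ { // Uj = PRF(U(j-1)); T = U1 xor U2 xor ...
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// StoredPassword is one entry in a user's password history: salt, hash and when it was set.
type StoredPassword struct {
	Salt []byte
	Hash []byte
	Set  time.Time
}

func hashPassword(password string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(password), salt, pbkdf2Iter, 32)
}

// NewStoredPassword salts and hashes a password so only the hash is kept in history.
func NewStoredPassword(password string, set time.Time) StoredPassword {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return StoredPassword{Salt: salt, Hash: hashPassword(password, salt), Set: set}
}

// IsComplex enforces the complexity rule: long enough, with upper case, lower case,
// digits and at least one special character.
func IsComplex(password string) bool {
	var upper, lower, digit, symbol bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	return len([]rune(password)) >= minLength && upper && lower && digit && symbol
}

// IsReused reports whether candidate matches any password in the history. The hash is
// re-derived with each entry's salt and compared in constant time.
func IsReused(candidate string, history []StoredPassword) bool {
	for _, old := range history {
		if subtle.ConstantTimeCompare(hashPassword(candidate, old.Salt), old.Hash) == 1 {
			return true
		}
	}
	return false
}

// IsExpired reports whether the most recent password is older than the rotation limit.
func IsExpired(history []StoredPassword, now time.Time) bool {
	if len(history) == 0 {
		return true
	}
	return now.Sub(history[len(history)-1].Set) > maxPasswordAge
}

func main() {
	now := time.Now()
	// Constructed history: one password set 100 days ago.
	history := []StoredPassword{NewStoredPassword("Correct-Horse-7-Battery", now.Add(-100*24*time.Hour))}
	fmt.Println("complex:", IsComplex("Correct-Horse-7-Battery"), IsComplex("password"))
	fmt.Println("reused:", IsReused("Correct-Horse-7-Battery", history), IsReused("Other-Passw0rd!", history))
	fmt.Println("expired:", IsExpired(history, now))
}
```

The history keeps only salted hashes, never the passwords themselves, so a reuse check costs nothing in confidentiality if the history table leaks; the iteration count is what makes offline guessing of those hashes slow.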
Information storage has become big business. Not just big business, huge business. Global Data Systems experienced an incredible increase in cloud storage interest recently, and for good reason. Our customized offering caters to the specific needs of any business. GDS has a slice of the pie – the cloud storage business is worth over $30 billion today and is expected to reach triple-digit billions within the next 10 years. Think about that – we collect and store so much data that it’s worth tens of billions of dollars. The current figure is more than the GDP of Bahrain and more than double that of Zimbabwe, and it is expected to rise to more than the GDP of Morocco. Let that sink in: consumers are producing so much data that the revenue generated from data storage is soon estimated to be worth more than all the goods Morocco produces in a single year. From this perspective it seems an understatement to say that the stakes for data protection rise each year.
The healthcare industry is emerging as a major player in the data business. The medical industry has evolved and adapted to the use of electronic health records (EHR), and quick access to EHR has entirely redefined how medical professionals evaluate, diagnose and treat patients. Whether the patient is seen in the office, over the telephone, or through some other channel, medical professionals can deliver care immediately because they have immediate access to up-to-date EHR.
Accessing patient EHR inevitably involves a username and password for a secure login, given the vast amount of information stored for a single patient. Multiply this by the many patients in a given practice, and then by medical professionals everywhere, and the amount of data being stored is staggering. It’s a hacker’s dream!
Why are health records appealing to a hacker? Accessing a social media profile or email account is one thing, but we all know the ultimate goal is usually a bank account or credit card number – or it used to be. The value of health information has experienced a stratospheric rise in the cybercriminal realm. Accessing a patient’s personally identifiable information (PII) within an EHR – the combination of which is electronic protected health information (ePHI) – is the proverbial key to the kingdom for stealing an identity. Health insurance ID numbers, Social Security numbers, family history, names of immediate family members, employer details, and so much more are usually on the patient information form one fills out while waiting to see a medical professional for the first time. All of this information is a goldmine for stealing an identity, and it offers deep insight into likely passwords for all those accounts: social media, email, banking, and so on.
This ePHI is covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), whose security regulations mandate that this electronically stored information be secured and protected from vulnerability. HIPAA can’t possibly cover every type of vulnerability, attack, or breach – there are far too many hackers, each with a different approach, for any regulation to define or keep up with the multitude of possibilities. Know that in this regard data security extends far beyond the boundaries of HIPAA compliance, and that the language of the regulation is vague; there are many resources for understanding that language.
With HIPAA and ePHI, there are a few main rules:
- Transmitting, or sharing, ePHI requires the information to be encrypted so it can’t be read if intercepted during transmission.
- Any ePHI must be guarded so that it can’t be modified during transmission, which again calls for encryption.
- The National Institute of Standards and Technology sets the encryption guidelines for regulated industries like banking and healthcare.
- Violators will be punished, with fines in the millions of dollars possible, along with the possibility of criminal penalties. If serving time in prison doesn’t sound appealing, follow the rules and encrypt ePHI!
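The first two rules, confidentiality and protection against modification in transit, are met together by an authenticated encryption mode. The Go program below is an added illustration for this page, not code from Global Data Systems or the original post. It uses AES-256-GCM (a NIST-approved mode, SP 800-38D) from the standard library to seal a constructed, fictitious ePHI record, then shows that the receiving side rejects the record outright if even one byte of the ciphertext was changed on the way, because GCM’s authentication tag fails to verify. The record contents, the record identifier used as authenticated header, and the function names are assumptions made for the example; the key is generated at random each run and would in practice come from a key management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample ePHI record for a fictitious patient; it exists only to exercise the code.
const SampleRecord = `{"patient":"Jane Example","insurance_id":"INS-EXAMPLE-0001","dob":"1980-01-01"}`

// NewKey returns a random 256-bit AES key. In a real system this comes from key management.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts plaintext with AES-256-GCM. The header (for example a record id) is
// authenticated but not encrypted; the returned ciphertext carries the GCM tag at its end.
func SealRecord(key, plaintext, header []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // a fresh random nonce per message; never reuse with one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	ciphertext = gcm.Seal(nil, nonce, plaintext, header)
	return nonce, ciphertext, nil
}

// OpenRecord decrypts and verifies. Any change to nonce, ciphertext, tag or header, or a
// wrong key, makes gcm.Open fail, so modified data is rejected rather than silently accepted.
func OpenRecord(key, nonce, ciphertext, header []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, nonce, ciphertext, header)
	if err != nil {
		return nil, errors.New("record rejected: authentication failed (modified in transit or wrong key)")
	}
	return plaintext, nil
}

// TamperDetected seals the sample record, flips one ciphertext byte to simulate modification
// in transit, and reports whether the receiver rejected it.
func TamperDetected(key []byte) (bool, error) {
	header := []byte("record-42") // assumed record identifier, sent in the clear but authenticated
	nonce, ct, err := SealRecord(key, []byte(SampleRecord), header)
	if err != nil {
		return false, err
	}
	ct[0] ^= 0x01
	_, err = OpenRecord(key, nonce, ct, header)
	return err != nil, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	header := []byte("record-42")
	nonce, ct, err := SealRecord(key, []byte(SampleRecord), header)
	if err != nil {
		panic(err)
	}
	pt, err := OpenRecord(key, nonce, ct, header)
	fmt.Println("round trip ok:", err == nil && string(pt) == SampleRecord)
	detected, _ := TamperDetected(key)
	fmt.Println("tampering detected:", detected)
}
```

Encrypting with a mode that has no authentication tag would satisfy only the first rule: an intercepted record could still be altered without the receiver noticing, which is exactly what the second rule forbids.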
The best way to make sure all ePHI is safeguarded is to implement basic but formal policies regarding data.
- No USB or other external drives allowed – copying to one is technically a transmission of ePHI, and data is not likely to be encrypted for this type of transfer.
- Text or SMS messages – the bottom line is that a text message containing unsecured ePHI can result in a fine of $50,000 for each message. There are too many issues here, from the possibility of a misplaced smartphone with the message still on it to the potential for an insecure network being hacked.
- Voicemail and email – this is tough; patients call and leave messages or submit a message through the “Contact Us” form on a website and leave personal details (PII), and suddenly it’s ePHI that needs to be protected.
- Medical offices still love to fax – make sure the fax service is HIPAA compliant, like eFax Corporate.
Hackers gaining access to EHR or ePHI are a threat not just to the victim but also to the organization storing or transmitting the data. If a medical provider’s network is breached, the provider is at risk, and so are the many patients it treats.
Avoid being hacked – and the high fines – by taking precautions. Safeguard data, follow HIPAA guidelines and play by the rules! Connect with Global Data Systems today for the best in Healthcare IT services.